Java Cookie Serializer Secure False
Description
Detects when Spring Session's DefaultCookieSerializer is used without enabling secure cookies. This configuration could allow session cookies to be transmitted over insecure HTTP connections, potentially exposing sensitive session data to interception.
Detection Strategy
• Check if Spring Session HTTP library (org.springframework.session.web.http) is imported in the code
• Look for instances where DefaultCookieSerializer class is instantiated
• Verify whether setUseSecureCookie(true) is called on that serializer instance
• Report a vulnerability if the secure cookie setting is not explicitly enabled
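The detection strategy above, as an added example that is not Fluid Attacks' own rule implementation: a small Python checker that runs the four steps over two constructed Java sources modelled on the page's configuration classes. It treats a commented-out call, a missing call and setUseSecureCookie(false) all as "not explicitly enabled".

```python
import re

# Constructed samples modelled on the page's two configuration classes.
VULNERABLE = """\
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
public class InsecureCookieConfig {
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // serializer.setUseSecureCookie(true);  commented out, still insecure
        return serializer;
    }
}
"""
SECURE = VULNERABLE.replace(
    "// serializer.setUseSecureCookie(true);  commented out, still insecure",
    "serializer.setUseSecureCookie(true);",
)

IMPORT_RE = re.compile(r"^\s*import\s+org\.springframework\.session\.web\.http\.")
NEW_RE = re.compile(r"DefaultCookieSerializer\s+(\w+)\s*=\s*new\s+DefaultCookieSerializer\s*\(")
COMMENT_RE = re.compile(r"//.*$")


def find_insecure_serializers(source):
    """Return [(line_no, variable)] for every DefaultCookieSerializer that is
    instantiated and never has setUseSecureCookie(true) called on it."""
    # Drop line comments so a commented-out call cannot satisfy the check.
    lines = [COMMENT_RE.sub("", line) for line in source.splitlines()]
    if not any(IMPORT_RE.match(line) for line in lines):
        return []  # Spring Session HTTP is not imported: the rule does not apply
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = NEW_RE.search(line)
        if not match:
            continue
        var = match.group(1)
        # Only an explicit setUseSecureCookie(true) counts; false or absent is reported.
        enabled = re.compile(r"\b%s\.setUseSecureCookie\s*\(\s*true\s*\)" % re.escape(var))
        if not any(enabled.search(later) for later in lines[line_no:]):
            findings.append((line_no, var))
    return findings


if __name__ == "__main__":
    print(find_insecure_serializers(VULNERABLE))  # [(5, 'serializer')]
    print(find_insecure_serializers(SECURE))      # []
```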
Vulnerable code example
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.context.annotation.Bean;

public class InsecureCookieConfig {
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // Vulnerable: the secure cookie flag is never set, so the session
        // cookie may be sent over plain HTTP
        return serializer;
    }
}
✅ Secure code example
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.context.annotation.Bean;

public class SecureCookieConfig {
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // Secure: the cookie is only transmitted over HTTPS connections
        serializer.setUseSecureCookie(true);
        return serializer;
    }
}